Easily deny access to multiple folders on nginx?

Freek Member
edited January 2012 in General

Hi,

I installed a script yesterday for which I need to disallow web access to some directories.
In Apache, you could do this with an .htaccess file.
Nginx doesn't support .htaccess files. However, I do see this in the nginx conf file:

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}

I thought uncommenting these lines would make nginx block all web access to folders containing .ht files, but it doesn't.

How do you guys block web access to multiple folders easily?

Thanks

Comments

  • Actually I think that only blocks access to .ht files, not the folder the files are in.

    I'm not sure if there is any other way except

    location ~ /folder {
            deny  all;
    }
  • Thanks for the reply @vedran
    Hmm okay. So if I have 10 folders to block, I would have to enter them all manually?
    Let's say I have 10 folders located in /home/domains/blabla/site
    do I enter them like this?

    location ~ /home/domains/blabla/site/folder1 {
            deny  all;
    }
    location ~ /home/domains/blabla/site/folder2 {
            deny  all;
    }
    etc
    

    Thanks

  • If your root folder is /home/domains/blabla/site, you should be able to

    location ~ /(folder1|folder2|folder3|...) {
            deny  all;
    }
  • vedran's solution will work, but be sure to place it before other location directives that might take precedence.

    For example if you have:

    location ~ \.php$ {
      # do stuff to enable php
    }
    location ~ /(folder1|folder2|folder3) {
      deny  all;
    }
    

    Then browsing to example.com/folder1 will give "permission denied", but browsing to example.com/folder1/somefile.php will be allowed.

    To fix that, change the order of the location directives:

    location ~ /(folder1|folder2|folder3) {
      deny  all;
    }
    location ~ \.php$ {
      # do stuff to enable php
    }
    

    But (going back to the original question) if web access to the folders is not required at all, a better solution would be to remove them entirely from browseable space.

  • And also, the common user/password auth

    http://wiki.nginx.org/HttpAuthBasicModule

  • Thanks for the replies guys, really appreciate it :)

    Alright then. I was hoping there was some way of having nginx automatically block web access to a directory as soon as it finds an .htaccess file in the folder but sadly that's not possible.

    I cannot remove them from browseable space as they are part of a script which needs access to those folders to operate successfully.

  • @Freek said: I cannot remove them from browseable space as they are part of a script which needs to access to those folders to operate successfully.

    Are those parts of the scripts not accessed locally?

  • @Freek said: I cannot remove them from browseable space as they are part of a script which needs to access to those folders to operate successfully.

    If the script is using include() or require() or reading/writing data, it's doing it by filesystem access. It just needs to know the filesystem path to folder1, etc. And that path can be outside of nginx's webspace.

    On the other hand, if the script is using http to access those folders, then it's gonna fail once you block the folders in nginx!

  • @dnom Yes they are accessed locally, but they are located in the same directory as other folders which do need web access.

    @sleddog AFAIK it's not using http access.

    Here's an excerpt from the readme of the script I'm using

    Files and folders permissions
    //////////////////////////////////////////
    
    For security reason, the web server must have read access for all folders and files of PMA.
    
    But, to works properlly, PMA needs write access to following folders:
    avatars/
    cache/
    config/
    logs/
    sessions/
    tmp/
    
    Also, PMA include a .htaccess file in all subfolder to deny web access.
    But it's works only for apache, and only if the web admin permit to use .htaccess files.
    
    Web access must be denied for all file and folder except:
    avatars/
    docs/
    locales/
    cmd/
    images/
    install/
    js/
    styles/
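
An added example (not part of the original thread or of the script's documentation) that combines the ordering advice above with the folder list from this README excerpt. It assumes the script sits at the site root `/home/domains/blabla/site` and that PHP is handled by a FastCGI backend on `127.0.0.1:9000`; `example.com` and the backend address are constructed placeholders.

```nginx
# Added example; server_name and fastcgi_pass address are assumptions.
server {
    listen 80;
    server_name example.com;
    root /home/domains/blabla/site;
    index index.php;

    # Regex locations are tested in the order they appear and the first
    # match wins, so the deny rules must come before the PHP handler.
    # Anchoring with ^ and requiring "/" or end-of-URI after the name keeps
    # the rule from also matching e.g. /docs/cache-howto or /tmpfiles.
    location ~ ^/(cache|config|logs|sessions|tmp)(/|$) {
        deny all;
    }

    # Apache-style per-directory files (.htaccess, .htpasswd) anywhere.
    location ~ /\.ht {
        deny all;
    }

    # avatars/ is both web-accessible and writable by the script, so serve
    # it as static files only: "^~" stops nginx from trying the regex
    # locations, so nothing under it reaches the PHP handler below.
    location ^~ /avatars/ {
        try_files $uri =404;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

After `nginx -t` and a reload, a request for `/config/` or any file under it should return 403, including `.php` files.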
    
  • PhpMyAdmin?

    What I do with admin scripts like this -- which should be accessible only by me -- is make an admin directory, password-protect it, and put them in there.

    example.com/admin/phpmyadmin/

    Access to anything inside /admin requires a username/password. And yes, the username/password is different from the phpmyadmin login :)

  • Oh, and get https working. A self-signed cert is fine. So all your admin stuff is accessed at https://example.com/admin/

  • No, PhpMumbleAdmin :)
    http://sourceforge.net/projects/phpmumbleadmin/

    That's also an idea yes but I have to set it up for public use...

  • vedran Veteran
    edited January 2012

    I use phpminiadmin. It's just one PHP file and it does the trick.

    Edit: that's instead of PhpMyAdmin, not PhpMumbleAdmin, of course :)

  • @Freek said: but I have to set it up for public use...

    OK, so forget everything I said :) Go back to @vedran's suggestion and use "location" to block access to those folders.

  • Corey Member

    @sleddog said: OK, so forget everything I said :) Go back to @vedran's suggestion and use "location" to block access to those folders.

    I did this as well, but I wonder if we can somehow authorize an administrator to access those?

  • Centaur Member
    edited April 2013

    I prefer Adminer to phpminiadmin, much better interface and more features, similar to PhpMyAdmin. http://www.adminer.org/

    Edit: I just realized this is actually a really old topic. Sorry
